Cyber Security: Where Does the Reasoning Begin?

I recently witnessed the most useful cyber security presentation I have seen, to date, at the Schneider Connect 2016 conference. The presentation, given by Gary Williams, Sr. Director, Technology, Cybersecurity, and Communications, essentially answered the important question that my AC/DC fundamentals professor would always ask to start a topic: Where does the reasoning begin?

Usually when I hear cybersecurity presentations, the speakers talk about the serious consequences of cyber security failures and then overwhelm people who are not familiar with the topic with deep levels of detail and intricacy. Williams definitely addressed the consequences. “In January of this year, it was calculated that there were 300,000 new malware per day,” Williams shared, “As of yesterday, there were 700,000 per day with 30% delivered in PDF documents.” He also presented statistics from Dimensional Research showing that cybercrimes cost energy and utility companies an average of $13.2 million each year in lost business and damaged equipment. Beyond that, 47% of energy organizations reported attacks, the highest among all corporate sectors.

Then, perhaps reflecting his deep military and industry experience, Williams provided a process for cyber security protection.

The Williams Process

Gary Williams presents a cyber security process.

Williams noted that “cyber security is not a project,” it is an ongoing process, one that everyone in the company is responsible for. “Be as aggressive as the hackers,” Williams instructed his audience, and then used “AGGRESSIVE” as an acronym for his cybersecurity steps. The acronym went as follows:

A – Adopt: Adopt a standard. Schneider Electric, for example, has adopted IEC 62443 because it applies to the industries they serve. Adopting a standard gives an organization a common vocabulary, throughout the company and with the rest of the world.

G – Gap analysis: Determine where you want to be and where your cyber security protection is today. A gap analysis between these two points helps organizations really understand their systems and what is required to meet the goal. “This is where you find the dirty laundry,” described Williams, “It is better for you to do this task than calling in a third party.”

R – Risk and threat assessment: Which of those gaps are critical to your business, operations, and environment? Once this is determined, a priority list should be created to direct resources and investment.

E – Execute mitigation: “As you are executing mitigation, issues will come up that were not found in the gap analysis,” explained Williams, “Record them and do an autopsy.” He went on to explain that the recorded evidence is what is reported to management in order to give them the needed information to understand the threats and the required investments.

S – Survey the complete system: “Collect configuration files on firewalls, switches, and interfaces, which are essential to recover from an intrusion or attack,” emphasized Williams.

S – Store: Store configuration files securely on and off-site. Williams stressed that this information needs to be accessible within an acceptable timeframe for recovery. “Having it backed up is all well and good,” he stated, “But you need to practice the recovery as often as possible.”

I – Inform all stakeholders: “If you inform them, management will see the value of what they are getting from their investment and understand what the risk is without maintaining protection.”

V – Verify on a regular basis: Cyber security threats are dynamic, as Williams pointed out. “Cyber security threats are constantly changing, which means the threat vectors are changing,” Williams described, “what you put in today to secure a system is not necessarily capable of securing it tomorrow.” He also suggested including everyone in cybersecurity efforts, even if they weren’t traditionally involved in these areas. Williams stated that doing this “will make them more aware and they become people that will protect systems.”

E – Educate everyone: “Education is probably the most important function,” affirmed Williams, “The two engineers in your control room, if educated, are your first line of defense, they should be able to isolate and identify threats and then you can call in the experts.”
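The Survey, Store and Verify steps above are the ones most easily turned into a repeatable routine. The script below is an added example, not code from the presentation or from Schneider Electric: it snapshots a set of device configurations with a SHA-256 manifest, mirrors the snapshot to a second directory standing in for the off-site copy, detects when the live copy has drifted from the manifest, and times a restore from the off-site copy against a recovery budget. The device names, configuration text and the five-second budget are constructed sample values.

```python
"""Added example (not from the presentation): a minimal configuration
vault covering the Survey / Store / Verify steps. Device names, config
text and the recovery budget are constructed sample values."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# Constructed "survey" output: device name -> running configuration text.
SAMPLE_CONFIGS = {
    "fw-dmz-01": "hostname fw-dmz-01\ninterface eth0\n ip 10.0.1.1/24\naccess-list deny any any\n",
    "sw-core-01": "hostname sw-core-01\nvlan 10 name control\nvlan 20 name supervisory\n",
}


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def store_snapshot(configs: dict, primary: Path, offsite: Path) -> dict:
    """Write each config plus a manifest of SHA-256 digests to `primary`,
    then mirror the whole snapshot to `offsite` (the assumed off-site copy)."""
    primary.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for device, text in sorted(configs.items()):
        (primary / f"{device}.cfg").write_text(text, encoding="utf-8")
        manifest[device] = sha256_text(text)
    (primary / "manifest.json").write_text(json.dumps(manifest, indent=2))
    if offsite.exists():
        shutil.rmtree(offsite)
    shutil.copytree(primary, offsite)
    return manifest


def verify_snapshot(location: Path) -> dict:
    """Return {device: 'ok' | 'modified' | 'missing'} by re-hashing each
    stored config and comparing it with the manifest."""
    manifest = json.loads((location / "manifest.json").read_text())
    status = {}
    for device, expected in manifest.items():
        path = location / f"{device}.cfg"
        if not path.exists():
            status[device] = "missing"
        elif sha256_text(path.read_text(encoding="utf-8")) != expected:
            status[device] = "modified"
        else:
            status[device] = "ok"
    return status


def recovery_drill(offsite: Path, restore_to: Path, device: str, max_seconds: float) -> dict:
    """Restore one device's config from the off-site copy, confirm its digest
    matches the manifest, and report whether the restore met the time budget."""
    start = time.monotonic()
    restore_to.mkdir(parents=True, exist_ok=True)
    restored = restore_to / f"{device}.cfg"
    shutil.copyfile(offsite / f"{device}.cfg", restored)
    manifest = json.loads((offsite / "manifest.json").read_text())
    elapsed = time.monotonic() - start
    intact = sha256_text(restored.read_text(encoding="utf-8")) == manifest[device]
    return {"device": device, "intact": intact, "elapsed_s": elapsed,
            "within_budget": intact and elapsed <= max_seconds}


def run_demo() -> dict:
    """End-to-end drill in a throw-away directory: store, verify, simulate
    unauthorised drift on the live copy, re-verify, then restore off-site."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        primary, offsite, restore = root / "primary", root / "offsite", root / "restore"
        store_snapshot(SAMPLE_CONFIGS, primary, offsite)
        before = verify_snapshot(primary)
        # Constructed drift: the firewall rule base on the live copy is changed.
        (primary / "fw-dmz-01.cfg").write_text(
            "hostname fw-dmz-01\naccess-list permit any any\n", encoding="utf-8")
        after = verify_snapshot(primary)
        drill = recovery_drill(offsite, restore, "fw-dmz-01", max_seconds=5.0)
        return {"before": before, "after": after, "drill": drill}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script reports every device as `ok` before the drift, `fw-dmz-01` as `modified` afterwards, and a successful restore within budget. In a real deployment the manifest would be signed and the off-site copy would be a separate system, so that whoever altered the live configuration cannot also alter the record of what it should be.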

Zones & Conduits

Williams believes the most productive organizing principle is to configure a system, following the principles of ISA99 and IEC 62443, into zones that conform to the familiar five layer model, segregating functional areas so that information passes between levels only through defined conduits. It is important to remember that with the proliferation of communication networks, including wireless, there may be multiple conduits between levels, each of which needs to be considered for cyber security. Using a standard architecture enables a common view of systems, segregation, and approach.

Multiple zones within a single level group areas together for protection, with a separate conduit for each.
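The practical difficulty with zones and conduits is keeping the documented conduits in step with the paths that actually carry traffic. The script below is an added example, not from the presentation or from any standard: it holds a constructed zone inventory on the five-level model, a list of declared conduits, and a list of flows that a survey of switch and firewall logs might have turned up, and reports flows with no matching declared conduit (here a wireless link and a direct enterprise-to-controller path) together with any conduit whose endpoints are more than one level apart. The "no conduit may skip a level" rule is an assumption made for this example, not a requirement quoted from ISA99 or IEC 62443.

```python
"""Added example (not from the presentation): reconciling a zone-and-conduit
inventory with observed traffic. Zone names, levels, conduits and flows are
constructed; the level-skipping rule is an assumption for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    level: int  # 0 process, 1 basic control, 2 supervisory, 3 site operations, 4 enterprise


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    medium: str  # e.g. "fieldbus", "ethernet", "wireless"


ZONES = {z.name: z for z in [
    Zone("field-devices", 0), Zone("plc-cell-a", 1), Zone("plc-cell-b", 1),
    Zone("scada", 2), Zone("historian", 3), Zone("enterprise-it", 4),
]}

# Conduits the architecture document declares (constructed).
DECLARED = [
    Conduit("field-devices", "plc-cell-a", "fieldbus"),
    Conduit("field-devices", "plc-cell-b", "fieldbus"),
    Conduit("plc-cell-a", "scada", "ethernet"),
    Conduit("plc-cell-b", "scada", "ethernet"),
    Conduit("scada", "historian", "ethernet"),
    Conduit("historian", "enterprise-it", "ethernet"),
]

# Flows a survey of logs might yield (constructed): (src zone, dst zone, medium).
OBSERVED = [
    ("plc-cell-a", "scada", "ethernet"),
    ("scada", "historian", "ethernet"),
    ("plc-cell-b", "scada", "wireless"),        # second conduit between levels 1 and 2, undocumented
    ("enterprise-it", "plc-cell-a", "ethernet"),  # level 4 reaching level 1 directly
]


def pair(a: str, b: str) -> frozenset:
    """Direction-agnostic zone pair, since a conduit serves both directions."""
    return frozenset((a, b))


def undeclared_conduits(declared, observed):
    """Observed flows with no declared conduit of the same zone pair and medium."""
    known = {(pair(c.src, c.dst), c.medium) for c in declared}
    return sorted({(s, d, m) for s, d, m in observed if (pair(s, d), m) not in known})


def level_skipping(conduits, zones):
    """Conduits whose endpoints are more than one level apart (assumed review rule)."""
    return [c for c in conduits if abs(zones[c.src].level - zones[c.dst].level) > 1]


def conduits_between_levels(conduits, zones, lo: int, hi: int):
    """Every conduit joining a zone at level `lo` with a zone at level `hi`."""
    return [c for c in conduits if {zones[c.src].level, zones[c.dst].level} == {lo, hi}]


def review(zones=ZONES, declared=DECLARED, observed=OBSERVED) -> dict:
    missing = undeclared_conduits(declared, observed)
    # Treat each undeclared flow as a candidate conduit so it is also level-checked.
    candidates = list(declared) + [Conduit(s, d, m) for s, d, m in missing]
    return {
        "undeclared": missing,
        "level_skipping": [(c.src, c.dst, c.medium) for c in level_skipping(candidates, zones)],
        "declared_conduits_level_1_to_2": len(conduits_between_levels(declared, zones, 1, 2)),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

Two findings come out of the constructed data: the wireless path between `plc-cell-b` and `scada` is a second conduit between levels 1 and 2 that the architecture never recorded, and the `enterprise-it` to `plc-cell-a` flow crosses three levels and so bypasses the supervisory and site-operations zones entirely. Both are the kind of item the gap analysis is meant to surface before the next risk assessment.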

Cyber security, as Williams drove home throughout the presentation, is an ongoing, sleepless task for today’s businesses. “Cyber security is a moving target and the standards are nothing more than guidance,” Williams warned in closing, “Be sure to seek cyber security experts when you face new challenges.”